Over 11,500 Ethereum (ETH) worth approximately $33 million was locked permanently under a smart contract, unreachable even to the development team, in the highly anticipated NFT project Akutars over the weekend due to both an exploit and a glitch.
The exploit, on the other hand, was carried out by someone attempting to expose a flaw in the project rather than to steal funds through a hack.
On Friday, April 22, the project went live with a Dutch Auction, a sort of auction in which the price drops until a bid is received, with the first bidder winning the sale as long as the price is over the reserve.
Only 5,495 of the possible 15,000 NFTs were up for sale when the auction began at 3.5 Ethereum, with the smart contract set to repay any bidders who were underbid. Each minted NFT was discounted by 0.5 Ethereum for holders of a “Aku Mint Pass.”
The $33 Million Bug Attack
0xInuarashi, a creator of numerous NFT projects, revealed in a Twitter thread on April 23 that Akutars’ smart contract was built so that reimbursements to bidders had to be handled first before the team could withdraw any funds.
The contract said that the team must submit a certain number of bids before being allowed to withdraw, however the minimum number of bids was set to equal the number of NFTs available for auction.
Unfortunately, the conditions of the contract mean that the approximately $33 million in Ethereum will never unlock due to some bidders minting several NFTs in the same bid.
The Exploitation
Developers reached out to the Akutars warning that their contract may be attacked, according to a now-deleted tweet shared by DeFi developer foobar, but they appeared to blow them off totally, labeling the potential vulnerability a “feature.”
During the mint, an anonymous individual executed a “griefing contract,” which prevented the Akutars contract from processing reimbursements to underbidders. The individual even sent a message to the Akutars team on the blockchain, stating that the contract would be terminated:
“Well, this was fun, had no intention of actually exploiting this lol.”
“Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists,”
“I will remove the block immediately.”
Akutars quickly responded by accepting responsibility for the code, claiming that the attack “was not done maliciously” and that the individual “wanted to raise attention to acceptable practices for highly visible projects.”
Micah Johnson, the project’s founder and former pro-baseballer, apologized to the community in a tweet the same day, saying that despite letting them down, he will “continue to build brick by brick” and strive relentlessly to avoid any future troubles.
The company also announced that pass holders will receive 0.5 Ethereum reimbursements, as well as airdropping the NFT to successful bidders.
The team announced in an update on Sunday, April 24, that it had rebuilt its minting contract, which had been inspected by many developers, and that it planned to mint on Monday, April 25.
Related Posts – Elon Musk, a Dogecoin supporter, has decided not to join the Twitter board of directors
